We need to set the DKIM key length in SendGrid to 1024.
I have looked through the sendgrid management portal in Settings, Sender Authentication.
Where is the setting for this?
Currently SendGrid defaults to 1024 bit key length, so you will not need to adjust anything.
Related
If I have a domain example.com that is using gsuite (DNS settings at registrar has gmail cnames, spf & txt records etc) and I have another service sending on behalf of the domain (Klaviyo). Do the gmail DKIM and DMARC settings help to strengthen the deliverability of those emails sent by the other service (Klaviyo)?
To answer your question: A DMARC reject or quarantine policy helps improve deliverability for all parties that send on behalf of your domain AND properly authenticate by SPF or DKIM, in alignment with your domain.
DKIM consists of a cryptographic key pair. You publish the public key on the Internet and you use the private key to sign headers of your outbound emails. This signing is done on the sending server. So unless Klaviyo is using Google servers to relay your messages, those messages are not being DKIM signed by Google.
You should follow the instructions provided by Klaviyo here, so that the emails you send from their platform, using your email domain, will authenticate properly and will NOT fail DMARC.
Update:
Say you own the domain myexample.com, then you should publish a TXT record at the root of that domain that looks like "v=spf1 include:_spf.google.com ~all". Additionally you can add any other services or servers to this record as you see fit. You don't need to add Klaviyo to your SPF record as they will try to authenticate from the send.myexample.com domain used in the bounce address. That is what you created the first CNAME for. It redirects to an SPF (and MX) record hosted at Sendgrid. Additionally, Klaviyo will authenticate those emails using DKIM.
In order to make DMARC work, you need to publish another TXT record at _dmarc.myexample.com, if you haven't already, looking like: "v=DMARC1;p=none;rua=mailto:DMARC#myexample.com;". Then you'll start receiving aggregate reports at the mailbox you supplied. Once you're confident you've included all required parties in your authentication scheme, you can move to a p=reject policy in order to protect your domain.
Yes, DKIM and DMARC settings do help deliverability.
I assume that Klaviyo does what my company Autoklose is doing as well, and that's using Gmail API to send the email in your name. That means that they only indirectly affect the sending process and the email itself is sent from Google servers and not Klaviyo's servers.
Also, you have to be aware that DKIM & DMARC are only two of the factors in successfully delivering your email. For example, having DKIM & DMARC correctly set gets you positive points but if your domain is blacklisted, it still might not get delivered.
I would like to have a DMARC Reject policy, but having some issues making it pass.
We use google apps/mail for our domain and use 2 third party email providers who send e-mails as us. I'm trying to make one of them work for now and to understand the process so i can add the second easily.
I'd like to understand how to allow them to pass DMARC.
Right now SPF and DKIM both pass (as per DMARC report), but with a reject policy - it stops with "fail-unaligned"
Trying to understand the details HERE, I believe i need to create a subdomain dns record "email.mydomain.com" and set the From Address in the third party service to be "info#email.mydomain.com". However I'm unsure how i need to setup the DNS.
Do i need to create only a TXT record with SPF in it?
Do i need to create a CNAME email.mydomain.com?
I'm trying to be strict with reject policy so i can learn how to keep things in control, so i would appreciate some tips.
strict alignment means you need an exact domain match. The DKIM d=same domain name space as the visible headers (envelope) headers that indicate the From Name.
Relaxed alignment enables you to have sub-domains.
A solution is to check your ESP documentation to see if you can just add a custom return path (bounce header) that points to the ESP's bounce header (bouncerzzzz.example.com). Note: You'd do in your DNS.
Or you might have to just ask your ESP to sign your emails with a custom DKIM key. You'd publish the public key in your DNS. This is a fairly common approach.
I'd back off from the reject policy for a while, using "reporting" maybe for a month or two. It's good to make sure things are all working and you know who should be using your domains in email and who's using it for nefarious purposes. Get a lay of the land, then set to reject.
I am having a little trouble figuring out this process. I can manage to get the DNS records set up for the DMARC, DKIM and SPF. I get lost with what i am trying to do with the private key for the DKIM. Currently i am using a dedicated server offered by 1and1.com. if someone can give me a quick walk through i would really appreciate it.
The website i am currently making sends out scheduled emails plus emails on behalf of users. Some of them are being blocked by Hotmail and other email providers. I understand that adding these protocols will increase the likelihood that the emails reach their intended targets. If there are any other mechanisms that can accomplish this as well, i would greatly appreciate a heads up.
i use the built in php mail method to send emails (i do not want to incorporate a third party plugin to do something that php already does and works pretty well)
thanks
Yes, you can set DMARC on 1and1. Set:
Type: txt
Prefix: _dmarc
Value: v=DMARC1; p=none; sp=none; rua=mailto:yourmail#hotmail.com;
ruf=mailto:yourmail#hotmail.com; rf=afrf; pct=100; ri=86400;
Change the 2 emails
You can't set up DMARC or DKIM on 1&1 DNS, they don't allow underscores (_) in sub-domains in their DNS records.
Sorry for the bad news. They are the only hosting provider I know about that doesn't allow underscores (unless something changed recently)
DMARC is easy to set up just use this DMARC Wizard
DKIM is something that you need to set up with email software program you're using to send mail (which you didn't tell us what you're using) - I'm guessing postfix or exim?
We have automated email alerts from a web application hosted on a VPS. Google is marking our outgoing emails from server as SPAM. So, none of our users with a GMail account are receiving the emails.
I have done the required settings for SPF & DKIM, but to no avail.
On viewing the header of the emails, I see the following message against DKIM
dkim=neutral (invalid public key) header.i=#domain.com
I cannot make out what is wrong here. Please help.
Double check your dkim public-key in TXT record and compare it with the key from the key generation program.
This error means that your public and private keys are not suitable.
We have a website where we allow you to reset your password (say if you forget your password). This is standard on many websites. Basically you enter your email address which you've used to register on our website, then we send you an email containing an email reset link.
This is all standard stuff. However, the problem is: Gmail somehow thinks this email we send to the user is spam, and puts it in the Spam folder.
The specific message Gmail shows is:
Be careful with this message. Our systems couldn't verify that this message
was really sent by xyz.com. You might want to avoid clicking links or replying
with personal information.
Let me explain how we send the email. We use the company sendgrid.com to deliver
the emails. xyz.com is a domain we control. (xyz is a pseudo-name here.)
The email's from address is: do-not-reply#xyz.com
We have changed xyz.com's SPF record to include "sendgrid.com" (and "sendgrid.net" "sendgrid.me").
There's no website associated with xyz.com, however.
My question is: what else can we do to make Gmail believe the email is from the domain xyz.com? So it doesn't put the email in the spam folder?
Thank you.
Did you end up publishing DKIM with Sendgrid? Also, I have a feeling your SPF record isn't quite right as generally there's one official entry per email provider. You mention adding several. I'd recommend looking at their docs for exactly what they recommend publishing in your SPF. Do this for any provider you use for any kind of email.
Since you mentioned Sendgrid as your ESP, here are Sendgrid's instructions. Once you've done the DNS you have to ask Sendgrid to "sign" it. Since DKIM uses cryptography you'll need them to do their side.
DKIM's less complicated than it sounds. The DNS records you have to add will take a few minutes then presumably open a ticket to Sendgrid to have them do their side.
Also, as an aside, could you post what you have for your SPF record here? I don't mean your domain but what the value is? It's not directly causing the problem but it's a key component of email authentication.
Once you've completed SPF and DKIM, it is critical you validate them both. Do a search for SPF validates and DKIM validator to find online tools.